Remove [ssl] parameters
... because these were already removed from Keystone during Newton cycle[1]. Note some parameters like [ssl] enabled were earlier migrated to the [eventlet_server_ssl] section[2] but later removed during Newton by a different patch[3]. [1] 20b851b240bc74694737a9a2e8f58816882b59ae [2] 2ed506995850ff5b60cac0be858d65375d15bf4b [3] ac039414ce997cfcafa09efa9e089e09c3058b70 Closes-Bug: #1967717 Change-Id: I74fe1bce563ff084ebe43425c3f6ffe51b321014
parent
b038f20126
commit
0954fea1d6
@ -166,32 +166,6 @@
|
||||
# keystone listens for connections) (string value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*enable_ssl*]
|
||||
# (Optional) Toggle for SSL support on the keystone eventlet servers.
|
||||
# (boolean value)
|
||||
# Defaults to false
|
||||
#
|
||||
# [*ssl_certfile*]
|
||||
# (Optional) Path of the certfile for SSL. (string value)
|
||||
# Defaults to '/etc/keystone/ssl/certs/keystone.pem'
|
||||
#
|
||||
# [*ssl_keyfile*]
|
||||
# (Optional) Path of the keyfile for SSL. (string value)
|
||||
# Defaults to '/etc/keystone/ssl/private/keystonekey.pem'
|
||||
#
|
||||
# [*ssl_ca_certs*]
|
||||
# (Optional) Path of the ca cert file for SSL. (string value)
|
||||
# Defaults to '/etc/keystone/ssl/certs/ca.pem'
|
||||
#
|
||||
# [*ssl_ca_key*]
|
||||
# (Optional) Path of the CA key file for SSL (string value)
|
||||
# Defaults to '/etc/keystone/ssl/private/cakey.pem'
|
||||
#
|
||||
# [*ssl_cert_subject*]
|
||||
# (Optional) SSL Certificate Subject (auto generated certificate)
|
||||
# (string value)
|
||||
# Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost'
|
||||
#
|
||||
# [*service_name*]
|
||||
# (Optional) Name of the service that will be providing the
|
||||
# server functionality of keystone. For example, the default
|
||||
@ -374,6 +348,32 @@
|
||||
# (Optional) Where to log
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*enable_ssl*]
|
||||
# (Optional) Toggle for SSL support on the keystone eventlet servers.
|
||||
# (boolean value)
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ssl_certfile*]
|
||||
# (Optional) Path of the certfile for SSL. (string value)
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ssl_keyfile*]
|
||||
# (Optional) Path of the keyfile for SSL. (string value)
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ssl_ca_certs*]
|
||||
# (Optional) Path of the ca cert file for SSL. (string value)
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ssl_ca_key*]
|
||||
# (Optional) Path of the CA key file for SSL (string value)
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*ssl_cert_subject*]
|
||||
# (Optional) SSL Certificate Subject (auto generated certificate)
|
||||
# (string value)
|
||||
# Defaults to undef
|
||||
#
|
||||
# == Authors
|
||||
#
|
||||
# Dan Bode dan@puppetlabs.com
|
||||
@ -394,12 +394,6 @@ class keystone(
|
||||
$revoke_driver = $::os_service_default,
|
||||
$revoke_by_id = true,
|
||||
$public_endpoint = $::os_service_default,
|
||||
$enable_ssl = false,
|
||||
$ssl_certfile = '/etc/keystone/ssl/certs/keystone.pem',
|
||||
$ssl_keyfile = '/etc/keystone/ssl/private/keystonekey.pem',
|
||||
$ssl_ca_certs = '/etc/keystone/ssl/certs/ca.pem',
|
||||
$ssl_ca_key = '/etc/keystone/ssl/private/cakey.pem',
|
||||
$ssl_cert_subject = '/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
|
||||
$manage_service = true,
|
||||
$enabled = true,
|
||||
$rabbit_heartbeat_timeout_threshold = $::os_service_default,
|
||||
@ -450,6 +444,12 @@ class keystone(
|
||||
$catalog_type = undef,
|
||||
$log_dir = undef,
|
||||
$log_file = undef,
|
||||
$enable_ssl = undef,
|
||||
$ssl_certfile = undef,
|
||||
$ssl_keyfile = undef,
|
||||
$ssl_ca_certs = undef,
|
||||
$ssl_ca_key = undef,
|
||||
$ssl_cert_subject = undef,
|
||||
) inherits keystone::params {
|
||||
|
||||
include keystone::deps
|
||||
@ -463,6 +463,18 @@ class keystone(
|
||||
}
|
||||
}
|
||||
|
||||
[
|
||||
'enable_ssl',
|
||||
'ssl_certfile',
|
||||
'ssl_ca_certs',
|
||||
'ssl_ca_key',
|
||||
'ssl_cert_subject'
|
||||
].each |String $ssl_opt| {
|
||||
if getvar($ssl_opt) != undef {
|
||||
warning("The ${ssl_opt} parameter has been deprecated and has no effect.")
|
||||
}
|
||||
}
|
||||
|
||||
if $manage_policyrcd {
|
||||
# openstacklib policy_rcd only affects debian based systems.
|
||||
Policy_rcd <| title == 'keystone' |> -> Package['keystone']
|
||||
@ -544,25 +556,14 @@ class keystone(
|
||||
'policy/driver': value => $policy_driver;
|
||||
}
|
||||
|
||||
# ssl config
|
||||
if ($enable_ssl) {
|
||||
# TODO(tkajinam): Remove this after Z-release
|
||||
keystone_config {
|
||||
'ssl/enable': value => true;
|
||||
'ssl/certfile': value => $ssl_certfile;
|
||||
'ssl/keyfile': value => $ssl_keyfile;
|
||||
'ssl/ca_certs': value => $ssl_ca_certs;
|
||||
'ssl/ca_key': value => $ssl_ca_key;
|
||||
'ssl/cert_subject': value => $ssl_cert_subject;
|
||||
}
|
||||
} else {
|
||||
keystone_config {
|
||||
'ssl/enable': value => false;
|
||||
'ssl/certfile': value => $::os_service_default;
|
||||
'ssl/keyfile': value => $::os_service_default;
|
||||
'ssl/ca_certs': value => $::os_service_default;
|
||||
'ssl/ca_key': value => $::os_service_default;
|
||||
'ssl/cert_subject': value => $::os_service_default;
|
||||
}
|
||||
'ssl/enable': ensure => absent;
|
||||
'ssl/certfile': ensure => absent;
|
||||
'ssl/keyfile': ensure => absent;
|
||||
'ssl/ca_certs': ensure => absent;
|
||||
'ssl/ca_key': ensure => absent;
|
||||
'ssl/cert_subject': ensure => absent;
|
||||
}
|
||||
|
||||
oslo::middleware { 'keystone_config':
|
||||
|
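Review bot: The deprecation loop added after the `class keystone(` parameter list names five options but omits `ssl_keyfile`, although that parameter is kept with an `undef` default and the release note lists it as deprecated, so a manifest that still sets only `ssl_keyfile` gets no warning. Add `'ssl_keyfile',` to the array between `'ssl_certfile'` and `'ssl_ca_certs'`. Since the commit message says Keystone dropped these options in Newton, a deployment that still passes `enable_ssl => true` presumably depends on the web server in front of keystone for TLS, and the warning could say so, e.g. `warning("The ${ssl_opt} parameter has been deprecated and has no effect. Configure TLS in the web server that runs keystone.")`. The class body continues outside the hunks shown.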
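--- a/releasenotes/notes/bug-1967717-9775a5b195672923.yaml
+++ b/releasenotes/notes/bug-1967717-9775a5b195672923.yaml
@@ -0,0 +1,12 @@
+---
+deprecations:
+- |
+The following parameters of the ``keystone`` class have been deprecated and
+have no effect now.
+
+- ``enable_ssl``
+- ``ssl_certfile``
+- ``ssl_keyfile``
+- ``ssl_ca_certs``
+- ``ssl_ca_key``
+- ``ssl_cert_subject``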
@ -38,12 +38,12 @@ describe 'keystone' do
|
||||
is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('revoke/driver').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('policy/driver').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/enable').with_value(false)
|
||||
is_expected.to contain_keystone_config('ssl/certfile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/keyfile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/ca_certs').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/ca_key').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/cert_subject').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/enable').with_ensure('absent')
|
||||
is_expected.to contain_keystone_config('ssl/certfile').with_ensure('absent')
|
||||
is_expected.to contain_keystone_config('ssl/keyfile').with_ensure('absent')
|
||||
is_expected.to contain_keystone_config('ssl/ca_certs').with_ensure('absent')
|
||||
is_expected.to contain_keystone_config('ssl/ca_key').with_ensure('absent')
|
||||
is_expected.to contain_keystone_config('ssl/cert_subject').with_ensure('absent')
|
||||
is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)
|
||||
|
||||
is_expected.to contain_oslo__middleware('keystone_config').with(
|
||||
@ -145,12 +145,6 @@ describe 'keystone' do
|
||||
is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value(12)
|
||||
is_expected.to contain_keystone_config('revoke/driver').with_value('sql')
|
||||
is_expected.to contain_keystone_config('policy/driver').with_value('sql')
|
||||
is_expected.to contain_keystone_config('ssl/enable').with_value(false)
|
||||
is_expected.to contain_keystone_config('ssl/certfile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/keyfile').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/ca_certs').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/ca_key').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('ssl/cert_subject').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)
|
||||
|
||||
is_expected.to contain_oslo__middleware('keystone_config').with(
|
||||
@ -221,20 +215,6 @@ describe 'keystone' do
|
||||
it { is_expected.not_to contain_exec('keystone-manage db_sync') }
|
||||
end
|
||||
|
||||
context 'when enabling SSL' do
|
||||
let :params do
|
||||
{
|
||||
'enable_ssl' => true,
|
||||
}
|
||||
end
|
||||
it {is_expected.to contain_keystone_config('ssl/enable').with_value(true)}
|
||||
it {is_expected.to contain_keystone_config('ssl/certfile').with_value('/etc/keystone/ssl/certs/keystone.pem')}
|
||||
it {is_expected.to contain_keystone_config('ssl/keyfile').with_value('/etc/keystone/ssl/private/keystonekey.pem')}
|
||||
it {is_expected.to contain_keystone_config('ssl/ca_certs').with_value('/etc/keystone/ssl/certs/ca.pem')}
|
||||
it {is_expected.to contain_keystone_config('ssl/ca_key').with_value('/etc/keystone/ssl/private/cakey.pem')}
|
||||
it {is_expected.to contain_keystone_config('ssl/cert_subject').with_value('/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')}
|
||||
end
|
||||
|
||||
context 'with RabbitMQ communication SSLed' do
|
||||
let :params do
|
||||
{
|
||||
|
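Review bot: The removed `when enabling SSL` context is not replaced, so nothing in the spec compiles a catalog with the deprecated parameters still set. A small context passing `'enable_ssl' => true` and asserting `is_expected.to contain_keystone_config('ssl/enable').with_ensure('absent')` would pin that stale `[ssl]` entries are purged whatever the caller passes. The second hunk (around line 145) also drops the `ssl/*` assertions from what looks like the non-default-values context (the `with_value('sql')` lines suggest this) without adding the `with_ensure('absent')` checks that the first hunk adds. The enclosing `describe 'keystone'` block starts and ends outside the hunks.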